1 of 1 people found this helpful
the topic is pretty complicated, I will try to give you some notes to begin, please let me know in case there are additional questions.
Setting up Proxy HA is basically pretty simple. You put both of your appliances into Central Management and then go to the Configuration tab and configure the proxy mode "Proxy HA" for each of the boxes individually. You have to make sure you are using the same virtual IP address and also the same number of virtual IP addresses, in case you are using more than one.
The port forwarding setting is not really obvious, but required. In Proxy HA Source and Destination have to be the same as your Proxy Port, e.g. if your clients talk to port 9090, please configure a redirect from port 9090 to port 9090.
Specify the priority (more on this topic later): 0 means "scanning only", everything eolse defines the priority of the director.
The Management IP is basically the local IP address of the node (please do not configure a virtual IP address here) which is used to detect other nodes for load balancing. From this IP addresses broadcasts are sent from the active director to detect the other MWGs which are available for scanning. All detected nodes will receive traffic.
In Proxy HA always one of the Nodes will be the director. There is no way to have two directors in an active/active way, always one will be active and answering to the virtual IP address. This director will accept traffic and will balance it between the locally running MWG and all other MWG instances found for balancing the load (broadcasts via Management IP).
If the active director goes down and there is another one available which has a priority > 0, that one will take over the virtual IP and continue serving traffic. Again all traffic will be balanced between the available nodes. Once the old one comes back (depending on the priority) the original director will become the director again.
If you specify the same priority on all directors the one who showed up first on the network will be the active node - as explained there is no active/active configuration.
Load balancing will always be performed depending on the nodes discovered. A directory by default also acts as a scanning node.
In your environment I would recommend to have both machines configured as a director with a differend priority. Load Balancing will automatically be performed but one of the nodes will take care (director) to send the incoming requests between the available boxes. If the active director dies, the second one will take over and access will still flow.
1.) I think this is totally up to you. There is no recommendation which traffic should be bound to what NIC. You can basically have all traffic go through one NIC. I would probably use one NIC to bind the physical and virtual IP addresses for accessing the GUI/Proxy and use the other NIC for the Management IP. VRRP interface should be the same as the interface used for the virtual IP address to detect link failure.
2.) As explained above, this is not very obvious, but you have to configure a port forward for your configured proxy ports, as described above. Otherwise load balancing will not occur.
3.) You need to specify a LOCAL IP address, therefore you can´t use the same IP on both GWs but need to specify one which is configured to one of your NICs.
4.) As explained earlier load balancing will always happen, but the active director takes care for balancing the load and holds the virtual IP address. Only one director can be active at the same time.
5.) This does not make any sense. mfend-lb -s can be used to see the current HA status. It only shows you what is happening, but does not do anything.
6.) I hope I have covered most topics above. In case there is anything else let me know.
this was very comprehensive answer from and I am very gratefull for that. A lot of things make sense now, however, I still have some questions.
I've just upgraded both GW to 126.96.36.199 version, each GW has it's own IP and they are both in cluster. Now, first of all, what is the difference between node priority under central management configuraiton and directory priority - which I do understand now.
Now about networking: Please correct if my configuration is wrong. The request is that traffic must pass through both NICs, so i would configure it like that:
GW1: (IP x.x.x.11): eth1 (primary), eth3
GW2: (IP x.x.x.21): eth1 (primary), eth3
Under proxes, each GW has it's local IP for management IP.
Under virtual IPs,
- on both GWs there would be Virtual IP x.x.x.31/24 for eth1
- on both GWs there would be Virtual IP x.x.x.32/24 for eth3
Is this configuration correct ? So in that case, proxy request from TMG server (stands before WG) would be send (web chaining) either to x.x.x.31 IP or x.x.x.32 IP ? as some kind of fault tolerance ?
Sorry for confusing configuration, however those are demands...
the Central Management priority and the director priority do not have anything in common. As explained the director priority allows to pick the node which will hold the virtual IP address and distribute traffic to all other MWG nodes. The Central Management priority is used in case your Central Management cluster is split for some reasons, changes have been made to both nodes independently and then the Central Management builds up again. In this case you would have two different configurations on your Nodes - the Central Management priority defines which configuration will be used in this case (lower value wins).
I am not sure if I understand the request "that traffic must pass through both NICs". Do you want to have the traffic from the TMG coming into eth0 and move on to the Internet through eth3, or do you maybe want to have a "backup" NIC in case eth0 dies, hardware or cabling wise?
I am not really sure how the two virtual IP addresses may help in this case. Maybe you can provide a quick picture to allow me to understand your request?
It's even more complicated than it sounds - in someone heads I was "thrown" into this mess and demand to accept all restrictions and management demands - yes the first idea was that traffic should be splitted to both GWs (load balancing) and also to two NIC on each GW (as fault tolerant for NIC).... However I managed to convince it was a bad idea to create two different virtual IPs etc. Now one NIC is for managing and other for scanning...
Ok now the only prolebm that still exists is load balancing. I don't quite get it how to create port forwarding. Is that under proxy ha (proxy redirect) or only port forwarding under configuration. Can you give me an example how to do that ?
I've already created proxy redirect (80, 443 to port 9090) but there is no difference...
Thank you !
1 of 1 people found this helpful
yes this is not really obvious from the GUI at the moment :-(
Look at my screenshot:
This is where you have to configure the "Port Forward". You can see that Source and Destination are "9090". "9090" is the proxy Port I have configured, e.g. my Client will configure the virtual IP on Port 9090 as their Proxy servers. Source and Destination must match the Proxy Port you defined a bit below on the same configuration page. If you are using port "8080" for example you must have a redirect with Source and Destination saysing "8080".
This does not make any logical sense (at least configuration wise), this just sets some switches in the configuration to properly work. This should happen automatically usually, but at the moment you just have to put in that redirect :-)
Please forget about the Configuration -> Port Forwarding section. This has again nothing to do with HA, but allows you to create TCP ports on MWG which are opened and redirected to somewhere else on TCP level. Unrelated for the Load balancing :-)
Please let me know if it makes more sense with the screenshot or if you need additional help.
OK, finally i got it somehow... but still not everything ...
I configured as you suggested but there is still no results of load balancing, only one GW is managing requests...
What did you mean with "Source and Destination must match the Proxy Port you defined a bit below on the same configuration page"... is there any special configuration for http proxy on the same configuration page ? I was convinced from network guy that this is correct...
you are also using Port 9090 so all you need to do is to setup the Port redirection as explained in my screenshot before, which says "Source: 9090" to "Destination: 9090".
You should be fine with that.
How do you check that only one applicance is handling the traffic? Please note that all requests will go to the director first and will be distributed among all available appliances from there. You will not see your Clients talking directly to the second node.
OK, so if understand you right... I have correct configuration there is also nothing to change at http proxy (0.0.0.0.:9090) is correct ?
Yes that's correct all requests are being made to director and none to other with low priority. Is there any possibilty to see what si the second gateway doing ? Because web, traffic summary stays empty...
I would basically check the access.logs on both machines. There should be something in there on both machines :-)
If you see everything is written into the directors access.logs, probably we have to verify the port forward is correctly in place. I have seen that sometimes changes only apply after a restart of the box, maybe you can schedule a reboot during the night?
Also please make sure the port redirects are configured correctly on all nodes that act as a director (so on both nodes I think in your environment).
If this does not help, can you send me the mfend-lb -s output from both boxes please?